This series focuses on how small to mid-sized enterprises manage common threats within a 24-hour period. In this installment, we learn how one SME deals with its social engineering attack crisis and prevents future ones from happening.
Julian Elko seemed to be having a bad day. He was going to his first day on the job and he had forgotten his key card and misplaced his manager’s phone number…
Or had he?
Julian arrived at the Velocitech Office and explained his predicament to the receptionist with equal parts charm and apology. She was able to give him a temporary card, and said that he would have to deal with the manager on his own. Using the card, Julian made his way to his manager’s office; but, it just so happened that his manager was on vacation for the week, so he didn’t get to shake hands with the new boss man.
Because he was new and hadn’t met anyone yet who could show him around, Julian was unsure of which cubicle was his so he wandered about checking in with his co-workers, striking up conversations and basically figuring out what was expected of him in his new position.
The manager had apparently forgotten to tell anyone that Julian was starting, so he didn’t have a user account created. Luckily, a helpful employee logged in with her credentials so he could get to work. Although he had access now, Julian didn’t have any job assignments yet. So, he decided to get busy by cleaning up the office. He went around to every cubicle and room, including the boardroom, gathering up trash and taking it to the compactor.
Social Engineering Attack
Julian’s first day on the job had gone much better than expected—but the reality was he didn’t work for Velocitech. If anything, you might say that Julian was "self-employed." Despite not being a true employee, between the information he grabbed from the trash and the passwords he learned from watching over employees’ shoulders, Julian gained unrestricted access to Velocitech’s systems.
He snuck into Velocitech’s computer network without any hacking skills whatsoever; he depended upon good old-fashioned social engineering. In other words: He ran a con. He relied on the employees’ human nature to ingratiate himself with them and gather bits and pieces of information through a variety of methods.
- Dumpster diving: Julian’s seemingly altruistic, proactive act of cleaning the office allowed him access to the conference room, the manager’s office, and even the receptionist’s desk, where he was able to search for jotted-down passwords and usernames. He took the wealth of information and placed it somewhere else for later retrieval, rather than in the compactor as expected.
- Shoulder surfing: While he was wandering the work area striking up conversations, he was also asking questions that would get employees to log into secure areas. He would watch over their shoulders as they typed in their credentials.
If these methods had not worked, Julian had a fallback plan.
- Reverse social engineering: This is a variation on what you frequently see on television and in the movies. The protagonist (or the antagonist, depending on the movie) calls or shows up at the target’s office and passes himself or herself off as the maintenance man, computer tech, fireman, etc. Cinematically speaking, this works especially well if he or she starts a fire or releases cockroaches, thereby creating a situation in which his or her services are desperately needed.
The best part about reverse social engineering is that if it goes well, victims often don’t even know they have been compromised. (Julian initially planned to show up as pest control after releasing a couple of rats on the complex.)
Social engineering prevention
There’s a twist to Velocitech’s story, though… fortunately for the company, its manager had secretly hired Julian for a specific job—to find out how secure the business really was.
After the manager returned from "vacation," the undercover operative had a chance to meet with Velocitech’s manager and share his findings. The manager was understandably concerned that Julian could infiltrate his network and abscond with so much information so easily; so, he asked Julian to help him create a defense plan.
Julian pointed out that a solid and enforced company policy would have made things much more difficult for him. Policies should cover areas like information access controls, escorting visitors, account setup, ID loss and creation, and password changes. Here are some additional examples:
- Entry should only be allowed with a key card. Temporary key cards should require a signature confirmation and valid ID.
- Employees should never share their logins, nor should they log in for another person (even a new employee). IT needs to manage the setup of new employee accounts.
- All documents, important and seemingly unimportant, should be shredded before they’re thrown away.
- Employees need to undergo security awareness training to recognize certain signs: what types of information social engineers are looking for and what requests should raise alarm (e.g., anyone asking for another person’s password is a reason for suspicion).
The best social engineering prevention policies
The best policy system exists as a multi-layered, tiered structure. If a criminal breaches one level of access, there needs to be several more ahead of it that can ultimately stop him or her from stealing data. Additionally, the intensity of training should match the employee’s position within the organization. Key personnel will obviously need to follow a stricter line than employees who have limited access to valuable information.
Finally, policy implementation isn’t enough. Measures must be taken to make sure employees are following the new rules. Supervisors should follow up with their co-workers and ensure they not only recognize the warning signs but also document and report them appropriately. Creating a climate of caution among staff will go a long way toward preventing people like Julian from accessing precious data.